KR20230009306A - Method and apparatus for detecting malicious communication based session - Google Patents

Abstract

An operation method of a malicious communication detection device comprises the steps of: collecting session data between managed computing devices and external servers; grouping session data for a certain period of time into the same source and destination and calculating statistical index values for each grouped session data group; extracting communication indicators for the source and destination using the statistical index values of each session data group; and detecting any source and destination as an infected computing device and an attacker server involved in malicious communication using communication indexes for each source and destination pair. Accordingly, it is possible to quickly detect and respond to threats from malicious communication.

Description

Session-based malicious communication detection method and apparatus {METHOD AND APPARATUS FOR DETECTING MALICIOUS COMMUNICATION BASED SESSION}

The present disclosure relates to detection of malicious communication bypassing an information protection system.

The attack through the command control channel stays on the attack target network for several months and performs activities such as information collection, attack tool download, internal network attack, system destruction, and information leakage. Attack target networks are mostly protected by firewalls and intrusion detection devices, so attackers can find the initial intrusion route through various methods, such as sending mails with malicious codes attached, downloading malicious files without the user's knowledge while surfing the Internet, and attacking the computer resources of installed program providers. can be secured

Meanwhile, instead of continuously maintaining a command control channel, an internal network device infected by an attacker periodically attempts to connect to an external attacker to create a command control channel. In order to avoid detection by the internal network security manager, the infected device can periodically connect to external attackers through various methods such as non-regular protocol communication through regular ports, non-regular ports, and external cloud services.

In order to detect such internal network attacks, signature-based detection that checks the payload of packets is mainly used, but there is a problem in that packet analysis for threat detection takes longer than network communication speed. In addition, in the case of zero-day and unknown attacks, there is a problem that the threat cannot be detected because information about the signature is not identified.

Korean Registered Patent KR10-1464367 proposes a technique for detecting a command control channel based on session creation frequency to solve this problem, but there is a limit to detecting various types of recent malicious communications only with session creation frequency.

The present disclosure provides a method and apparatus for detecting session-based malicious communication.

The present disclosure provides a method and apparatus for extracting communication indicators including persistence, concealment, accessibility, signaling, directivity, and scalability based on session data and detecting malicious communication using them.

A method of operating a malicious communication detection device according to an embodiment, comprising: collecting session data in which managed computing devices and external servers are connected; grouping session data for each period with the same origin and destination; and grouping the grouped session data. Calculating statistical index values for each group, extracting communication indexes for the corresponding source and destination using the statistical index values of each session data group, and using the communication indexes for each pair of source and destination, Detecting the source and destination as the infected computing device and attacker server involved in the malicious communication.

The communication indicators may include at least a plurality of persistence, concealment, accessibility, signaling, directivity, and scalability.

The persistence is a communication index used to detect sessions that are periodically created based on the number of time intervals in which sessions exist, and can be calculated based on the number of timestamps and the connection maintenance time among the statistical index values.

The concealment is a communication index used to detect a session that has a low session generation frequency and is maintained for a long time, and may be calculated based on the number of sessions among the statistical index values.

The accessibility is a communication indicator used to detect a backdoor-type session that maintains a session by performing minimal communication, and is calculated based on the sum of connection maintenance times compared to the sum of source and destination transmission packets among the statistical index values. It can be.

The signaling is a communication index used to detect a beacon-type session maintaining a session by performing minimal communication, and is based on the sum of source and destination transmission bytes compared to the sum of source and destination transmission packets among the statistical index values. can be calculated as

The directionality is a communication index used to detect a session used for information leakage based on the amount of outbound data, and may be calculated based on a difference between the sum of source transmission bytes and the destination transmission byte sum among the statistical index values. .

The scalability is a communication index used to detect the spread of an internal network infection based on an increase in the number of departure points connected to a specific destination over time, and can be calculated based on the number of source IP addresses connected to each destination.

The detecting step may detect an infected computing device and an attacker server related to the malicious communication by comparing persistence values, accessibility values, and signaling values among the communication indicators for an arbitrary source and destination with reference values. there is.

In the detecting step, an infected computing device and an attacker server related to data exfiltration communication may be detected by comparing values of confidentiality and directionality with reference values among the communication indices for an arbitrary source and destination.

The statistical indicator value may include the number of timestamps, the sum of connection maintenance times, the sum of source transmitted bytes, the sum of destination transmitted bytes, the sum of source transmitted packets, the sum of destination transmitted packets, and the number of sessions.

A method of operating a malicious communication detection apparatus according to another embodiment, comprising: collecting session data of a source and a destination; based on the session data, the number of timestamps, the sum of connection maintenance times, the sum of transmission bytes at the source, and transmission to the destination Calculating statistical index values including the sum of bytes, the sum of source transmitted packets, the sum of destination transmitted packets, and the number of sessions; extracting communication indicators used for malicious communication detection using the statistical index values; and detecting the source and the destination as an infected computing device and an attacker server using the communication indicators.

The communication indicators may include at least a plurality of persistence, concealment, accessibility, signaling, directivity, and scalability.

The detecting step may detect whether the source and the destination are the infected computing device and the attacker server related to malicious communication by comparing values of persistence, accessibility, and signality among the communication indicators with reference values. can The persistence is a communication index used to detect sessions that are periodically created based on the number of time intervals in which sessions exist, and can be calculated based on the number of timestamps and the connection maintenance time. The accessibility is a communication index used to detect a backdoor-type session maintaining a session by performing minimal communication, and is based on the sum of the connection maintenance time compared to the sum of the source transport packets and the destination transport packets. can be calculated. The signaling is a communication indicator used to detect a beacon-type session maintaining a session by performing minimal communication, and is a sum of the source transmission bytes and the destination compared to the sum of the source transport packets and the destination transport packet. It can be calculated based on the sum of transmitted bytes.

In the detecting step, it is possible to detect whether the source and the destination are the infected computing device and the attacker server involved in data exfiltration communication by comparing values of confidentiality and directivity among the communication indices and reference values. The secrecy is a communication index used to detect a session that has a low frequency of session creation and is maintained for a long time, and can be calculated based on the number of sessions. The directionality is a communication index used to detect a session used for information leakage based on the amount of outbound data, and may be calculated based on a difference between the sum of source transmission bytes and the destination transmission byte sum.

The operating method may further include detecting spread of an internal network infection by the destination when the number of connected departure points connected to the destination increases over time.

According to the embodiment, by analyzing statistical changes in internal communication (East-West) and external communication (North-South) on a session-based basis in an on-premise or cloud network, threat signs of malicious communication can be quickly detected. can detect and respond.

According to the embodiment, additional damage can be minimized by backtracking and responding to the detected malicious communication.

According to the embodiment, zero-day and unknown threat signs may be detected in advance through communication indicators including persistence, concealment, accessibility, signaling, directivity, and scalability.

According to the embodiment, an artificial intelligence model for identifying malicious and normal behaviors may be trained from the annual relationship between communication indicators using the collected communication indicators.

1 is a diagram schematically illustrating a network environment related to a malicious communication detection apparatus according to an exemplary embodiment.
2 is a diagram illustrating communication characteristics related to a persistent communication index according to an embodiment.
3 is a diagram illustrating communication characteristics related to a confidentiality communication index according to an embodiment.
4 is a diagram illustrating communication characteristics related to signaling communication indicators according to an exemplary embodiment.
5 is a diagram illustrating communication characteristics related to a directional communication index according to an exemplary embodiment.
6 is a flowchart of a malicious communication detection method according to an embodiment.

Hereinafter, with reference to the accompanying drawings, embodiments of the present disclosure will be described in detail so that those skilled in the art can easily carry out the present disclosure. However, the present disclosure may be embodied in many different forms and is not limited to the embodiments described herein. And in order to clearly describe the present disclosure in the drawings, parts irrelevant to the description are omitted, and similar reference numerals are attached to similar parts throughout the specification.

In the description, reference numerals and names are attached for convenience of explanation, and devices are not necessarily limited to reference numerals or names.

In the description, when a part is said to "include" a certain component, it means that it may further include other components without excluding other components unless otherwise stated. In addition, terms such as “… unit”, “… unit”, and “module” described in the specification mean a unit that processes at least one function or operation, which may be implemented as hardware or software or a combination of hardware and software. there is.

1 is a diagram schematically illustrating a network environment related to a malicious communication detection apparatus according to an embodiment, FIG. 2 is a diagram illustrating communication characteristics related to a persistent communication indicator according to an embodiment, and FIG. 3 is a diagram illustrating one embodiment A diagram illustrating communication characteristics related to a confidentiality communication indicator according to an example, FIG. 4 is a diagram illustrating communication characteristics related to a signaling communication indicator according to an embodiment, and FIG. 5 is a directional communication indicator according to an embodiment It is a diagram explaining communication characteristics related to .

Referring to FIG. 1, a malicious communication detection device (simply referred to as a detection device) 100 performs internal communication (East-West) and external communication based on sessions created in an on-premise or cloud network. (North-South) communication indicators representing statistical changes are analyzed, and malicious communication is detected using the communication indicators.

The detection device 100 collects session data in which the on-premise or cloud-built computing devices 200-1, 200-2, 200-3, ... are connected to the external servers 300 and 400. Here, a session refers to a connection created for data exchange between two communication devices. Session data may include a timestamp, origin information, destination information, connection maintenance time, transmission/reception data size, and the like. Source information includes a source IP address, a source port, and the like. The destination information includes destination IP address, destination port, and the like. The size of transmitted/received data may include the number of bytes transmitted by the source/number of bytes transmitted by the destination, or the number of packets transmitted by the source/number of packets transmitted by the destination. Session data may be obtained by combining network packets generated during a connection process established based on a source and a destination.

As shown in Table 1, session data may include items obtained from network packets.

feature HTTP log Info timestamp ts This is the time of the first packet connection identifier uid unique identifier of the connection Source IP address (src_ip) id.orig_h source IP address Source port (src_port) id.orig_p port of departure Destination IP address (dst_ip) id. resp_h destination IP address Destination port (dst_port) id.resp_p destination port keep-alive time duration How long the connection lasted. The number of bytes transmitted from the source (src_bytes) orig_ip_bytes Number of IP level bytes that the originator sent Destination transfer bytes (dst_bytes) resp_ip_bytes Number of IP level bytes that the responder sent The number of packets transmitted from the source (src_pkts) orig_pkts Number of packets that the originator sent. Number of packets sent to destination (dst_pkts) resp_pkts Number of packets that the responder sent.

The detection device 100 aggregates session data for a certain period of time, groups session data having the same source and destination into one session data group, and then calculates a statistical indicator value for each session data group identified as the source and destination. The detection device 100 may identify sessions having the same source and destination among session data, and calculate statistical index values for each session data group of the source and destination, as shown in Table 2. The statistical index may include the number of timestamps, the sum of connection maintenance times, the sum of source transmitted bytes, the sum of destination transmitted bytes, the sum of source transmitted packets, the sum of destination transmitted packets, and the number of sessions. The detection device 100 may group session data having the same source and destination into analysis data of the same connection using a source IP address, a destination IP address, and a destination port.

feature Info Timestamp (ts) count
(ts_unique) number of unique values for ‘ts’ column for each group Sum of connection duration (duration_sum) sum of ‘duration’ column for each group Sum of Source Transmitted Bytes (src_bytes_sum) sum of ‘src_bytes’ column for each group Sum of Destination Transmitted Bytes
(dst_bytes_sum) sum of ‘dst_bytes’ column for each group Sum of source transmitted packets (src_pkts_sum) sum of ‘src_pkts’ column for each group Sum of destination transmitted packets
(dst_pkts_sum) sum of ‘dst_pkts’ column for each group Sessions (count) Number of sessions

The detection device 100 extracts communication indicators including persistence, concealment, accessibility, signaling, directivity, and scalability of each session data group using statistical index values for each session data group of the source and destination. The detection device 100 may determine whether the source and destination of the corresponding session data group perform malicious communication using communication indicators, and through this, detect an infected computing device and an attacker server related to malicious communication. Malicious communication refers to sessions connected for fraudulent purposes, such as targeted attacks, BotNets, Unknown Malware, insider threats, and data leakage. Communication indicators including persistence, concealment, accessibility, signaling, directivity, and scalability can be defined as shown in Table 3.

communication indicator role persistence Detect sessions that are created periodically based on the number of time intervals (BIN) in which sessions exist concealment Detect infrequent and long-lived sessions based on the number of sessions accessibility Detect backdoor-type sessions that maintain sessions by performing minimal communication signaling Detects beacon-type sessions that maintain sessions by performing minimal communication directional Detect sessions used for information exfiltration based on outbound data volume scalability Detecting the spread of internal network infections based on the increase in the number of origins connecting to a specific destination over time

Among the computing devices 200-1, 200-2, 200-3, ..., the computing device 200-1 involved in malicious communication may be referred to as an infected computing device. Among the external servers 300 and 400, the server 300 related to malicious communication is called an attacker server, and the attacker server can also be called a command & control (C&C) server. Computing devices 200-1 and 200 -2, 200-3, …) is assumed to be protected by an information protection system such as a firewall and an intrusion detection device. Then, an external attacker must create a command control channel that is periodically connected to an internal device in order to access the internal network protected by the information security system. To this end, an attacker may infect a computing device 200-1 among the computing devices 200-1, 200-2, 200-3, ... through an e-mail or program with a malicious code attached thereto. The infected computing device 200-1 periodically connects to the attacker server 300, receives commands, and performs operations according to the commands. The detection device 100 may find characteristics of a command control channel based on communication indicators analyzed using session data of each session data group.

A method for the detection device 100 to calculate communication indicators of persistence, concealment, accessibility, signaling, directivity, and scalability will be described in detail.

First, the persistent communication index is explained. Persistence is a communication metric for detecting sessions that are created periodically for status transmission or command acknowledgment.

Referring to FIG. 2 , the infected computing device 200-1 periodically accesses the attacker server 300 and transmits its status or checks the command until a command is received from the attacker server 300 . In order to identify continuous and mechanical network communication between the infected computing device 200-1 and the attacker server 300, the detection device 100 uses the session data of each session data group to connect the corresponding source and destination. It is possible to calculate a communication index representing the persistence of

The detection device 100 is a time interval in which a session exists, based on a timestamp and a connection duration (duration), in session data of a certain period (eg, 24 hours or 12 hours) grouped to the same origin and destination. The number (simply, the number of session time intervals or BIN) can be calculated and used as a persistent communication index. The detection device 100 may calculate the number of session time intervals using the number of timestamps (ts_unique) and the connection maintenance time (duration) among the statistical index values of Table 2. If the time interval is shorter than the attacker's access period, the command control channel may not be created in a certain time interval even though the attacker periodically attacks. Therefore, a time interval is set to detect a command control channel that is created periodically. For example, the time interval may be set to a time sufficiently longer than the access period of the command control channel, for example, 1 hour or 30 minutes. can In the description, it is assumed that the time interval is set in units of one hour.

The detection device 100 may determine that a session is created if a session is created even once during a time interval, and may accumulate the number of time intervals in which a session is generated during a certain period of time. Based on the timestamp of the first packet generated for session connection, it is possible to check whether a session is created in each time interval, so the detection device 100 calculates the number of session time intervals (BIN) using the timestamp number (ts_unique). can be calculated For example, in session data for 12 hours between the infected computing device 200-1 and the attacker server 300, if the number of timestamps (ts_unique) is 12, the number of session time intervals (BIN) is 12, which is value can be used.

On the other hand, there may be sessions with a duration of more than a time interval (1 hour). Since the timestamp is the session occurrence time, the number of time intervals (BIN) in which sessions exist is accurately calculated only by the number of timestamps (ts_unique). It may not be. Therefore, as shown in Equation 1, the detection device 100 calculates the quotient of dividing the connection maintenance time of each session by the time interval as an offset, and adds the offset to the number of timestamps (ts_unique), so that the connection maintenance time is The number of time intervals in which sessions longer than the time interval exist may be corrected. For example, in session data for 12 hours between the computing device 200-2 and the general external server 400, three sessions are created, and two sessions having a connection duration of 1 hour or more exist In this case, the offset becomes 2 due to the two sessions in which the connection duration is longer than 1 hour. Accordingly, in connection between the computing device 200 - 2 and the general external server 400 , the number of time intervals in which the session exists (BIN) may be calculated as 5.

[Equation 1]

Persistence value = number of session time intervals (BIN) = number of timestamps (ts_unique) + offset

In this way, the detection device 100 may calculate the continuous communication index of the source and the destination using the number of session time intervals (BIN). The closer the persistence value is to the total number of time intervals, the more persistent and frequent the connection, so the source and destination of the connection can be estimated to be the infected computing device and the attacker's server.

In the following, the confidentiality communication index is explained. Concealment is a communication indicator for detecting a command execution session maintained for a long time through tunneling or the like.

Referring to FIG. 3 , the infected computing device 200-1 is connected to the attacker server 300 through tunneling such as a RAT program, and performs an operation according to the attacker's command. Then, the infected computing device 200-1 continuously maintains the connected session while performing the commanded operation. Therefore, compared to the number of sessions generated by normal servers and clients, the attacker server 300 of the infected computing device 200-1 has a relatively low frequency of session creation. In order to identify the action of the infected computing device 200-1 executing the command of the attacker server 300, the detection device 100 uses the session data of each session data group to determine the connection between the corresponding source and destination. A communication index representing concealment can be calculated.

The detection device 100 may use the number of sessions generated versus the number of session time intervals (BIN) as a confidentiality communication indicator in session data of a certain period grouped to the same source and destination. The concealment value may be calculated as a value obtained by dividing the number of sessions by the number of session time intervals (BIN), for example, as in Equation 2, and the number of time intervals may be squared to give a weight to the number of time intervals. For the number of sessions, count among the statistical index values in Table 2 can be used.

[Equation 2]

Confidentiality value = number of sessions/BIN

In this way, the detection device 100 may calculate the confidentiality communication index of the source and the destination using the number of created sessions compared to the number of session time intervals (BIN). If the confidentiality value is smaller than the reference value, it can be estimated that the computing device is performing an operation according to an attacker's command.

In the following, accessibility communication indicators are described. Accessibility is a communication indicator for detecting a backdoor type session that maintains a session by performing minimal communication to bypass information protection systems such as stateful inspection.

A state tracking based information protection system monitors the communication state between a client and a server, creates and manages a connection table, and controls detailed traffic. A backdoor-type session may be used so that the attacker server 300 bypasses this and accesses the infected computing device 200-1. After the infected computing device 200-1 establishes a session with the attacker server 300, it uses a backdoor type session to prevent the information security system from blocking the session and performs minimum communication to continuously maintain the session. . Here, the formation of a link for reverse access by the infected computing device 200-1 through tunneling with the attacker server 300 is called a backdoor type session.

The detection device 100 may use the number of packets versus the connection maintenance time as an accessibility communication indicator in session data of a certain period grouped to the same source and destination. The detection device 100 can assume that the infected computing device 200-1 and the attacker server 300 bypass the information protection system with a backdoor type session if the session is connected for a long time but the number of transmitted packets is small.

As shown in Equation 3, the detection device 100 may use a value obtained by dividing the sum of the connection maintenance times (duration_sum) by the sum of source transport packets (src_pkts_sum) and the destination transport packet sum (dst_pkts_sum) as an accessibility communication indicator. . In Equation 3, the sum of the connection maintenance times (duration_sum) may be added to the denominator, and the accessibility values may be normalized.

[Equation 3]

accessibility value = duration_sum/(duration_sum + src_pkts_sum+ dst_pkts_sum)

In this way, the detection device 100 may calculate the accessibility communication index of the source and the destination using the sum of the connection maintenance times (duration_sum), the sum of source transport packets (src_pkts_sum), and the destination transport packet sum (dst_pkts_sum). . If the accessibility value calculated by Equation 3 is close to the reference value (eg, 1), the number of transmitted packets is small, so the source and destination maintain a session by performing minimal communication to bypass the information protection system can be inferred.

In the following, signaling communication indicators are described. Signalability is a communication indicator for detecting a beacon type session to bypass the information protection system and create a command control channel. Here, the beacon type session means a session that transmits a small amount of data.

Referring to FIG. 4 , since a normal server and a client create a session to transmit data, data is included in a packet as much as possible and transmitted according to a predetermined format. On the other hand, the infected computing device 200-1 and the attacker server 300 include a small amount of data in the packet and transmit it to maintain the session.

The detection device 100 may use the amount of transmitted data compared to the number of transmitted packets as a signaling communication index in session data of a certain period grouped to the same source and destination. The detection device 100 may determine a session in which communication is performed with minimum data to maintain the session through a signaling communication indicator.

As shown in Equation 4, the detection device 100 may use a value obtained by dividing the sum of source and destination transmission bytes (src_bytes_sum + dst_bytes_sum) by the sum of source and destination transmission packets (src_pkts_sum + dst_pkts_sum) as a signaling communication index. Since the maximum size of one packet is 1500 bytes by MTU, the signaling value may be normalized by dividing by 1500 in Equation 4.

[Equation 4]

Signaling value = (src_bytes_sum+dst_bytes_sum)/(src_pkts_sum+dst_pkts_sum)

In this way, the detection device 100 may calculate the signaling communication indicator of the source and destination using the amount of data transmitted compared to the number of packets. If the signality value is smaller than the reference value (a value close to 0), it can be assumed that the source and the destination are in a state of maintaining a session by performing minimal communication to bypass the information protection system.

In the following, the directional communication indicators are explained. Directionality is a communication indicator that detects signs of information leakage by checking the directionality of data flow based on the amount of inbound/outbound data transmitted through the session.

Referring to FIG. 5 , since a data flow between a normal server and a client involves many requests from a client to a server, the amount of inbound data is greater than the amount of outbound data. On the other hand, since the infected computing device 200-1 operates to transmit internal data to the attacker server 300, if a data leakage action occurs in the infected computing device 200-1, the amount of outbound data increases, resulting in a decrease in data flow. A characteristic in which the directionality is reversed to the outbound occurs.

The detection device 100 measures the direction of data flow based on the amount of inbound and outbound data transmission. The detection device 100 may calculate a directional communication index by using the sum of source transmission bytes (src_bytes_sum) and the destination transmission byte sum (dst_bytes_sum) in session data of a certain period grouped to the same source and destination. As shown in Equation 5, the detection device 100 may use a value obtained by dividing the difference between the sum of source transmitted bytes (src_bytes_sum) and the destination sum of transmitted bytes (dst_bytes_sum) by the sum of all transmitted bytes as a directional communication index.

[Equation 5]

Direction value = (src_bytes_sum-dst_bytes_sum)/(src_bytes_sum+dst_bytes_sum)

In this way, if the amount of source transmission (outbound) data is greater than the destination transmission (inbound) data amount, the detection device 100 determines that it is a data flow that occurs differently from the purpose of the normal server, and establishes a connection suspected of data leakage. can be estimated

In the following, scalable communication metrics are explained. Scalability is a communication index to detect servers with potential threats that can cause multiple effects on the internal network.

The computing device 200-1 infected with malicious code is connected to the attacker's server 300 and attempts an additional infection to the internal network, thereby expanding the infection scale. Due to the spread of internal network infection, the number of sessions connected to a specific destination increases.

The detection device 100 may count the number of connected source IP addresses for each destination specified by the destination IP address and port in the session data, and calculate the number of source IP addresses as a scalability communication index. If the scalability value of a specific destination increases over time, it can be detected as an internal network infection spread.

In this way, the detection device 100 can use the scalability value to identify the server to which the internal computing devices are connected, estimate the identified server as a server that can cause multiple effects on the internal network, and The degree of spread of the infection can be determined.

For example, the detection device 100 may calculate communication parameters for a source and destination pair, as shown in Table 4, using a session data group grouped by date into source and destination.

date src_ip dst_ip dst_port persistence
(BIN) signaling accessibility directional concealment 0101 a A 1604 17 0.045 0.858 0.163 0.0526 0101 b B 81 18 0.032 0.833 -0.252 0.1875 0101 c C 4782 24 0.053 0.152 0.215 1293 0102 a A 1604 21 0.045 0.858 0.159 0.043 0102 b B 81 21 0.032 0.833 -0.253 0.043 0102 c C 4782 24 0.053 0.158 0.215 1515

Since the persistence value (BIN) of source a-destination A and source b-destination B is above a certain level, the signality value is close to 0, the accessibility value is close to 1, and the concealment value is close to 0, the detection device In (100), they can be assumed to be the infected computing device and the attacker server that have minimal communication for the purpose of maintaining a session. Since the persistence value of source c-destination C is close to the total number of time intervals and the signaling value is close to 0, the detection device 100 periodically accesses destination C until the infected source c receives a command from destination C. It can be inferred that it transmits its status or confirms the command.

6 is a flowchart of a malicious communication detection method according to an embodiment.

Referring to FIG. 6 , the detection device 100 collects session data in which computing devices and external servers are connected (S110).

The detection device 100 groups session data for a certain period (eg, one day) with the same origin and destination, and calculates a statistical indicator value for each grouped session data group (S120). The detection device 100 may group session data of a certain period into session data of the same source and destination. The detection device 100 may group all session data into analysis data of each connection having the same source and destination using the source IP address, destination IP address, and destination port. The detection device 100 determines the number of timestamps, the sum of connection maintenance times, the sum of source transmission bytes, the sum of destination transmission bytes, the sum of source transmission packets, the sum of destination transmission packets, and the number of sessions in the analysis data of each connection. Statistical index values can be calculated.

The detection device 100 extracts communication indicators for the corresponding source and destination using statistical indicator values of each session data group (S130). Communication metrics may include persistence, concealment, accessibility, signaling, directionality and scalability. Here, scalability can be calculated based on the destination and the number of departure points connected to it.

The detection device 100 detects an arbitrary source and destination as an infected computing device and an attacker server related to malicious communication using communication indicators for each source and destination pair (S140). The detection device 100 may look at a change pattern of the communication indicator over time and detect whether an arbitrary source and destination are an infected computing device and an attacker server related to malicious communication. The detection device 100 may detect the type of malicious communication using communication indicators. The detection device 100 may detect malicious communication by using one communication index having distinct characteristics of malicious communication among communication indexes, and may detect malicious communication by synthesizing a plurality of communication indexes. Through this, the detection device 100 may infect the computing device of the internal network so that the attacker server bypasses the information protection system, and detects whether the infected computing device has a session connection with the attacker server.

In this way, according to the embodiment, by analyzing statistical changes in internal communication (East-West) and external communication (North-South) on a session basis in an on-premise or cloud network, malicious communication can be detected in a short time. Detect and respond to threat signs.

According to the embodiment, additional damage can be minimized by backtracking and responding to the detected malicious communication.

According to the embodiment, zero-day and unknown threat signs may be detected in advance through communication indicators including persistence, concealment, accessibility, signaling, directivity, and scalability.

According to the embodiment, an artificial intelligence model for identifying malicious and normal behaviors may be trained from the annual relationship between communication indicators using the collected communication indicators.

The embodiments of the present disclosure described above are not implemented only through devices and methods, and may be implemented through a program that realizes functions corresponding to the configuration of the embodiments of the present disclosure or a recording medium on which the program is recorded.

Although the embodiments of the present disclosure have been described in detail above, the scope of the present disclosure is not limited thereto, and various modifications and improvements of those skilled in the art using the basic concepts of the present disclosure defined in the following claims are also included in the present disclosure. that fall within the scope of the right.

Claims (15)

As a method of operating a malicious communication detection device,
Collecting session data in which managed computing devices and external servers are connected;
Grouping session data for each period with the same origin and destination, and calculating a statistical index value for each grouped session data group;
Extracting communication indicators for the corresponding source and destination using statistical indicator values of each session data group; and
Detecting an arbitrary source and destination as an infected computing device and an attacker server involved in malicious communication using communication indicators for each source and destination pair.
Operation method including. In paragraph 1,
wherein the communication indicators include at least a plurality of persistence, concealment, accessibility, signaling, directivity, and extensibility. In paragraph 2,
The persistence is a communication index used to detect a session that is periodically created based on the number of time intervals in which sessions exist, and is calculated based on the number of timestamps and the connection maintenance time among the statistical index values. In paragraph 2,
The concealment is a communication index used to detect a session with a low frequency of session creation and a long-term session, and is calculated based on the number of sessions among the statistical index values. In paragraph 2,
The accessibility is a communication indicator used to detect a backdoor-type session that maintains a session by performing minimal communication, and is calculated based on the sum of connection maintenance times compared to the sum of source and destination transmission packets among the statistical index values. to be, how it works. In paragraph 2,
The signaling is a communication index used to detect a beacon-type session maintaining a session by performing minimal communication, and is based on the sum of source and destination transmission bytes compared to the sum of source and destination transmission packets among the statistical index values. Method of operation, calculated as In paragraph 2,
The directionality is a communication index used to detect a session used for information leakage based on the amount of outbound data, which is calculated based on a difference between a sum of source transmission bytes and a destination transmission byte sum among the statistical index values. Way. In paragraph 2,
The scalability is a communication index used to detect the spread of an internal network infection based on an increase in the number of sources connected to a specific destination over time, and is calculated based on the number of source IP addresses connected to each destination. In paragraph 1,
The step of detecting
Detecting an infected computing device and an attacker server related to the malicious communication by comparing a persistence value, an accessibility value, and a signaling value among the communication indicators for an arbitrary source and destination with reference values. In paragraph 1,
The step of detecting
An operation method of detecting an infected computing device and an attacker server related to data exfiltration communication by comparing a value of confidentiality and a value of directionality and reference values among the communication indicators for an arbitrary source and destination. In paragraph 1,
The above statistical index value is
A method of operation, including a number of timestamps, a sum of connection hold times, a sum of source transmitted bytes, a sum of destination transmitted bytes, a sum of source transmitted packets, a sum of destination transmitted packets, and a number of sessions. As a method of operating a malicious communication detection device,
Collecting session data of origin and destination;
Based on the session data, a statistical index value including the number of timestamps, the sum of connection maintenance times, the sum of source transmitted bytes, the sum of destination transmitted bytes, the sum of source transmitted packets, the sum of destination transmitted packets, and the number of sessions. step of calculating ,
Extracting communication indicators used for detecting malicious communication using the statistical indicator values; and
Detecting the source and the destination as an infected computing device and an attacker server using the communication indicators.
Operation method including. In paragraph 12,
The step of detecting
Detect whether the source and the destination are the infected computing device and the attacker server related to malicious communication by comparing values of persistence, accessibility, and signality among the communication indicators with reference values;
The persistence is a communication index used to detect a session that is periodically created based on the number of time intervals in which sessions exist, and is calculated based on the number of timestamps and the connection maintenance time,
The accessibility is a communication index used to detect a backdoor-type session maintaining a session by performing minimal communication, and is based on the sum of the connection maintenance time compared to the sum of the source transport packets and the destination transport packets. is calculated,
The signality is a communication index used to detect a beacon-type session maintaining a session by performing minimal communication, and is the sum of the source transport bytes and the destination compared to the sum of the source transport packets and the destination transport packet. The method of operation, calculated based on the sum of transmitted bytes. In paragraph 12,
The step of detecting
Detect whether the source and the destination are the infected computing device and the attacker server involved in data exfiltration communication by comparing the value of confidentiality and the value of directionality and reference values among the communication indicators;
The concealment is a communication index used to detect a session that has a low frequency of session creation and is maintained for a long time, and is calculated based on the number of sessions,
The directionality is a communication index used to detect a session used for information leakage based on an outbound data amount, and is calculated based on a difference between the sum of source transmission bytes and the destination transmission byte sum. In paragraph 12,
Detecting the spread of an internal network infection by the destination when the number of connected origins connected to the destination increases over time.
Further comprising a method of operation.

Images